Anda di halaman 1dari 63

WiFi Exploitation: How passive

interception leads to active exploitation


SecTor Canada
Solomon Sonya @Carpenter1010
The problem always seems to become more tractable when presented with the solution
Solomon Sonya @Carpenter1010
What to Expect

Hand-Waving!
Intro / Background
Building Knowledge Requirement
Deep Dive into 802.11 Protocol
Developing the Sensor
Live Demos!
Tagging and Geotracking people
802.11 Vulnerability Exposure
Security Protocol Enhancement
http://logout.hu/dl/upc/2011-06/230806_gremlin_in_my_computer-lyvind_berget.jpg, Retrieved 17 Sep 13


Future Work
Questions

2 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Whoami

3
Solomon Sonya @Carpenter1010
Security at Present

How far have we come?

Is it good enough?
Discovered vulnerabilities are fixed with patches
Known malware removed with AV (signature based)
Emerging malware detected via baselining (anomaly)
Digitally signed software

We still believe Detection is the key


Avg malware lifespan (depending on source) ~294-300+ days still!

Fallacy with Security:


Current [incorrect] view: start-state is secure, bolt on security from
here
Well remain ahead of the adversary ;-)

WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Anatomy of a Cyber Attack
Reconnaissance

Scanning

Penetration

Privileges+ Pivot
+
Pillage Paralyze

Stealth & Cover Tracks


Persistence
Solomon Sonya @Carpenter1010
Source: Solomon Sonya @Carpenter1010
Updated Anatomy of a Cyber Attack
Social
Engineering Active &
Reconnaissance/Research Passive
Water-Hole
Ping Sweep
Drive-By
ARP Scan
Phishing Stage Exploits Scan Targets Port Knock
XSS
DNS Lookups
Penetration
Protocols
IP Reservations
Trojan Privileges++ Pivot
Management
Insider Protocols
Pillage Paralyze
Embedded
Devices

Evade Detection Maintain Access

Source: Solomon Sonya @Carpenter1010


Security of the Future

Root of the problem lies with how security is considered


during creation and deployment:
Bolted-on vrs. Built-in approaches

Integration of Smart Devices


A countrys greatest spy

IoT Are we ready?

WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Cell Phones: A countrys greatest spy

When was the last time you audited the permissions granted to your apps?
Is all of this necessary to show a light? (I would avoid apps like these!)

http://www.snoopwall.com/wp-content/uploads/2014/10/Flashlight-Spyware-
Appendix-2014.pdf

Really?!!!
WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Thought Question

Even if we secured it all


What are we doing still
to secure the protocols
these devices are using to
communicate?
WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
How did we get here

Researching threat intelligence last year

Sitting at an airport enroute to a conference, watching


people pass by, I wondered if it is possible if I could
determine where each person is coming from a priori

Knew people usually carried cell-phone, smart device,


and/or laptop on travels and these devices are constantly
probing to connect to a known network

Hackers Mantra: I wonder what happens if

10 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
The Research has begun!
Developed the following research questions to direct new research project:

Is it possible to intercept PNL (preferred network list) probes to fingerprint


certain people?

If so, can a profile be created to reveal the area-of-habitation (likely places of


work, live, play)

Can we determine a likely device and alert on likely places of interest such that
we can identify a person that works/lives at specific places? (Think Intel, Google,
military, etc)

Can we expand profile on a person to determine their previous geolocations,


SSIDS, and activity times within an area such that we can know when to expect a
person within a particular area? (think home and work, etc)

Determining each devices PNL, can we establish a rogue AP and MiTM a


users device to route all traffic through our machine without the victims
knowledge?!!!!

Spoiler Alert:YES YOU CAN!!!! Lets see how!


11 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Initial Knowledge Required

802.11 Frames:
Management Frames: Setup and maintain communications
Authentication, Deauthentication
Association, Disassociation
Synchronization Messages
Probe
Beacon

Control Frames: Assist in frame delivery and reduces collisions


Acknowledgements, Request/Clear to Send, Block, Poll, End

Data Frames: Transport data from higher layers (HTTP, etc)

802.11 Client Authentication Process

12 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Initial Knowledge Required

Distributed Computing (Efficiency, Optimization,


Updates)

Socket Programming (Connections, Tokenization)

Threads

Wrappers(Worker Process, Conversion, Parsing,


Encryption, etc)

Coding not your thing? No problem, just use Theia!


Demo coming in a few slides from now!

13 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Deep Dive: Management Frames - 1

Request / Response Frames

Authentication Frame
Network member (wireless device NIC) signifies intention to join membership with access
point (AP)

Deauthenticaiton Frame
Access point sends frame to member to terminate <secure> connection
This packet must be accepted and immediately terminates communications

Association Frame
Synchronize resources between AP and NIC
NIC exchanges supported data rates, SSID, Encryption Protocol
If accepted, response from AP allows NIC to communicate with AP
Reassociation similar used when NIC roams to AP with stronger signal

Disassociation Frame
NIC wishes to gracefully terminate the association to allow the AP to reallocate memory

14 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Deep Dive: Management Frames - 2

Probe Request Frame * * * (Think Marco Polo)


NIC queries for available APs or specific AP containing SSID within range
Transmitted on every channel the NIC supports to discover every compatible
AP and AP with requested SSID
Supports roaming (with reassociation) to maintain established connection

Probe Response * * *
APs respond to requesting clients and provides synchronization information
(data rates, SSID*, Encryption Protocol, etc)
Cloaked: AP will respond if probe includes correct SSID
Discover cloaked AP when associated member joins and probes for hidden
SSID

Beacon Frame * * *
AP periodically broadcasts its presence and connection information (BSSID,
supported data rates, Encryption Protocol, SSID (if not hidden)
Cloaked: AP sends beacons, but omits SSID

15 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Deep Dive: Control / Data Frames

Control Frames
Optional Frames: Request to Send (RTS) and Clear to Send
(CTS)
Reduces frame collision
Not too common, but seen when AP has hidden SSID

Data Frames
Transport data frames after NIC has associated with AP

16 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
802.11 Pertinent Frame Subtype Identifiers

Authentication 0x0b
Deauthentication 0x0c
Association Request 0x00
Association Response 0x01
Reassociation Request 0x02
Reassociation Response 0x03
Probe Request 0x04 * * * (NIC is in the area)
Probe Response 0x05 (now know AP is in the area)
Beacon 0x08 (now know AP is in the area)
Request to Send (RTS) 0xb0 (usually present with hidden Aps)
Clear to Send (CTS) 0xc0

Control and Data frames handled in future research

More Info: https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces

17 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
So What do we do with this information?

Lets bring it together by understanding the


18
802.11 Authentication Process, PNL, and then lets demo!
Solomon Sonya @Carpenter1010
Client Authentication Process and PNL

BROADCAST Device Access Point

NETGEAR Probe Beacon

http://www.alohaorganizers.com/4-
productivity-tools-already-exist-iphone/

linksys
Probe Response
http://www.alohaorganizers.com/4-productivity-tools-already-exist-iphone/

Free_Airport_WiFi

Authentication Response

Device routinely probes to


discover available access points Association Response
in the area and rejoin
previously associated networks
Time
Client Probe Activity Client Authentication Process

19 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Lets Build the Sensor!

20
Solomon Sonya @Carpenter1010
Hardware Setup on the cheap

Minimum http://mindprod.com/jgloss/wireshark.html

Wireless Card (Alfa Card)


Wireshark (Tshark)
*NIX OS (Kali 2.x.x) TShark

KALI LINUX

Extra Credit
Long Range, High Gain WiFi Antennae BAA (12dbi Antennae)
GPS Receiver (GlobalSat BU-353-S4 USB GPS Receiver)

21 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Intercepting Frames to Begin Analysis

Collection process: acquire/query, parse, analyze/interpret,


present, visualize

What data should we collect?

How do we collect it?

Lets begin with the protocol analyzer Tshark (shortlist)


-Y wlan.fc.type T fields Focus and filter on 802.11 protocol
-e wlan.fc.subtype Display different frame types (mgt, ctrl)
-e wlan.sa Display transmitter MAC address
-e wlan.da Display receiver MAC address
-e wlan Display WiFi protocol information
-e wlan_mgt.ssid Display the SSID (if present)

22 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
What can we do at this point?

Active devices within range


Preferred Network List broadcasted by active devices
MAC addresses for devices and access points
SSIDs broadcasted by non-hidden Access Points
Vendor identifying information (when linked to OUI
database)

WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Sensor Construction

24 Solomon Sonya @Carpenter1010


Initial Sensor Construction

What did we first capture?

WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
How do we process this information
to derive meaning from the data?

Everything
26
should be made as simple as possible, but not simpler. Albert Einstein
Solomon Sonya @Carpenter1010
Frame Acquisition Process

Process:
Acquire/Query, Parse, Analyze/Interpret, Present, Visualize
Recall:

If we build our own sensor, what components are required?


Wouldnt it be nice if we had a tool to process all of this
information for us?
Options you could use: Kismet, NetStumbler, inSSIDer, Airocrack-
ng suite OR, you can build your own and add custom features
specific to your environment I chose the latter!

27 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Components to Build the Sensor
Suite
802.11 Receiver/Antennae (Sensor) - Theia_Sensor
GPS Receiver (GPS Collector) - GPS_Collector
IEEE OUI Specification - Theia_OUI
Geo-Location Retrieval Agent - Theia_GEO
Collector: Acquire/Query, Parse, Analyze/Interpret, Present - Theia_Collector
User Interface:Visualize - Theia_Interface

GPS Collector GPS Collector GPS Collector



Sensor Sensor Sensor

OUI Agent Theia Interface


Collector
Geo-Retrieval Theia Interface

Log
WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Enough Talk DEMO!!!!!

Solomon Sonya @Carpenter1010


Theia Sensor Suite

Distributed Wireless Sensor Suite to acquire, analyze ,


process, and visualize data extracted from 802.11 frames
Extensible: Allows multiple sensor integration back into
the central collector (s)
Displays linkage between PNL from each device and APs
within the area
Provides geolocation ability to display and map locations
where a device (and user) have been
Provides tagging, alert, and notification capabilities for
entry and departure of devices and base stations

30 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia Introduction and Live Demo

31 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia Introduction and Live Demo

32 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia Introduction and Live Demo

33 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia Introduction and Live Demo

34 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
So What Have We Discovered so far

35
Solomon Sonya @Carpenter1010
So What Have We Discovered so far

Device Profile (Vendor, MAC, etc)


Device PNL (full probing list)
Relative Proximity of devices within range of sensor (RSSI)
Arrival and Departure Activity Window
Encryption Specifications for each requested SSID
Frequency and communication channel for each device

WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Vulnerability Exposure [1]

Profiling People (e.g., social engineer connection to


planted AP, you can now specifically tag an individual
person to a device)
Intercepting frames from a device can reveal much more
than details about the device, but locations of the user!

WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Geo-Location Tracking and Tagging

Hello there, simply because you left your WiFi enabled


I now know where youve been
38 Solomon Sonya @Carpenter1010
Enriching the Database

War-Driving
Wigle.net

WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia Live Geo-Tracking Demo

40 Solomon Sonya @Carpenter1010


Theia Live Geo-Tracking Demo

41 Solomon Sonya @Carpenter1010


Theia Live Geo-Tracking Demo

42 Solomon Sonya @Carpenter1010


Theia Live Geo-Tracking Demo

43 Solomon Sonya @Carpenter1010


Theia Live Geo-Tracking Demo

44 Solomon Sonya @Carpenter1010


Vulnerability Exposure

45
Solomon Sonya @Carpenter1010
Vulnerability Exposure [2]

802.11 protocol fails to tuple SSID to geo-location, BSSID


Your PNL is blindly built on a system of trust surely the AP that responds to your
probe is legit right?... This leaves room for exploitation since any device will suffice!
Thus, if another device suddenly comes into the area that matches your probe, your
device will attempt to authenticate with it
This is especially dangerous if authenticating to OPEN WiFi networks!
Dont believe me? Welp, lets start further exploitation with the WiFi Pineapple
and then build our own attacks to go after victim devices

http://www.reidlitchfield.com/these-arent-the-droids-youre-looking-for/

This is the access point you are looking https://www.wifipineapple.com/

for
WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
MiTM attack via WiFi Pineapple

47 Solomon Sonya @Carpenter1010


802.11 Protocol Security
Recommendations

Solomon Sonya @Carpenter1010


Security Recommendation
802.11 Protocol Enhancement
Devices should restrict full broadcast of entire PNL unless within range of known BSSID
Update required to tuple SSID, BSSID(MAC), and GPS Coordinates to known SSID and base station
Notify when anomaly detected

802.11 MiTM Mitigation


Never store OPEN WiFi SSIDs on your devices
If so, device should notify when reassociated to previous base station

Geo-Location tracking and Personnel Profiling Mitigation


Remove all inactive SSIDs from devices
Disable WiFi when not in active use

Audit active WiFi connections on devices

Rename AP SSID broadcasts (it turns out less unique is actually safer for you in this case!)

A new capability is required and we must audit 802.11 spectrum (stay tuned,
Connectionless (C)overt Channel: data-exfil and C2 module release in the works coming next
summer) simply from 802.11 frames whose auditing this right now???
We can't solve problems by using the same kind of thinking
we used when we created them. Albert Einstein
WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Configuring and Running Theia

50
Solomon Sonya @Carpenter1010
Establishing Theia Sensor Suite

theia_oui.exe [*NIX] or [windows]


Will autostart and establish serversocket for new connections
theia_geo.exe [*NIX] or [windows]
Will autostart, establish serversocket for new connections, and allow you to import geo-location
database table
theia_sensor.exe [*NIX only] because of the wifi drivers
Will autostart, search for wireless interfaces, bind to interface, establish serversocket for new
connections, display 802.11 collected frames ready for transmission to collector
GPS_collector.exe [*NIX only]
GPS agent, autostarts, binds to GPS receiver, displays telemetry data from receiver, establishes
serversocket to relay data through sockets
First time: will download and configure dependencies for GPS reception
Connect theia_sensor.exe to GPS_collector.exe
theia_collector.exe [*NIX] or [windows]
Will autostart and establish serversocket for new connections
Connects to theia_oui.exe, theia_geo.exe, theia_sensor.exe, theia_interface.exe
Collected frames will now be processed by the system ready for visualization
theia_interface.exe [windows only until Java1.8 FX release on *NIX]
User Interface providing visualization from collector
51 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Upcoming Features / Releases

Light-weight deployment
module to Raspberry Pi
Sensor distribution package for
Windows OS
Simultaneous multi-antennae
integration
Crowd-source SSID database (distributed sharing)
Increased accuracy: GEO lat/lon to address
Additional wardriving compatibility with Kismet and
Netstumbler

52 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Acknowledgements:
SecTor, Toronto, Ontario, Canada
Wigle.net, @bobzilla
Google
Vivek Ramachandaran, @securitytube
Sushail M. The Boss @hackcon

Solomon Sonya @Carpenter1010


SolomonSolomon
Sonya Sonya
@Carpenter1010
@Carpenter1010
WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia_OUI

Provides Vendor lookup information for detected MACs


java jar theia_oui.jar
(I have already prepackaged the OUI table within the program. )

55 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia_Geo

Provides Geo coordinates lookup for detected SSIDs


java jar theia_geo.jar
Import geo-database table configuration file(s)

56 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia_Collector

Heart and Engine of the entire system - Processes raw sensor data from
theia_sensor to establish appropriate linkages ready to visualize in the interface
Self configures environment ready for you to connect to
theia_geo, theia_oui, theia_sensor, theia_interface
java jar theia_collector.jar

57 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
GPS_Collector (OPTIONAL)

Interfaces with GPS receiver to supply GPS data to all connected sockets
java jar gps_collector.jar
NOTE: If this is the first time running, I programmed it to configure your
system for you, and then interface with GPS receiver

58 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia_Sensor

Actual sensor capturing 802.11 frames and transmitting to connected


Theia_Collectors
java jar theia_sensor.jar
After started, connect to GPS_Collector.jar (if applicable) using command:
gps_connect <IP> <PORT>

59 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Theia_Interface

User Interface to visualize data intercepted by Theia Sensor Suite


Connects to Theia_Collector
java jar theia_interface.jar

60 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Building the Sensor - 1
Determine wireless interfaces and place into monitor mode
ifconfig
ifconfig wlan<#> down
iwconfig wlan<#> mode monitor
ifconfig wlan<#> up

Frequency Hopping!
Very important otherwise, youll capture only on 1 channel
There are scripts to do this, well implement programmically based on our interrupt timer
iwconfig wlan<#> channel <#>
(well code this later in the presentation)

GPS Collector

ServerSocket

Transmission of frames across connected sockets

61 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Building Sensor
//Remaining slides will cover development of the sensor programically

GPS_Collector
Interfacing with GPS daemon, process and present telemetry
Sensor
Reading 802.11 frames directly from wireless interface card
Geo
Wigle.net API
Database construction
Google Map API construction
OUI
IEEE specification, HashTable construction for efficient retrieval
Collector
Most critical and robust component - HashMap, TreeMap, LinkedList required to efficiently
store and link devices
Interface
Processing all data from Collector into User Interface
WarDriving

62 WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010
Upcoming Features

63
Solomon Sonya @Carpenter1010